flak

disrupting innovation theory

Some thoughts on The Disruption Machine. I only just read it, but apparently I’m late to the party. I can’t help but think it’s funny that writing up a review of an article three days before its publication counts as too late. (I think it arrived on Wednesday, I read it yesterday at lunch, and today I’m writing. I apologize for my tardiness.)

Posted 20 Jun 2014 19:34 by tedu Updated: 20 Jun 2014 19:36
Tagged: business magreview quote thoughts

the wrong way to beg for money

Because it’s summer and therefore nice and warm (or terribly, impossibly warm) out, I go outside and walk around the city. Because it’s a city, that means people ask me for money. Sometimes it’s grizzled old men sitting on a stoop. Sometimes it’s chipper young people who jump in front of me. Guess which group this post is about.

It’s one thing (an annoying thing, but borderline acceptable) to stand in the middle of the sidewalk so that I have to go around instead of walking in a straight line. Watching me course correct, then side stepping to block my path and accost me is never acceptable. I deal with this by making a mental note of the responsible organization and then blacklisting them for one month. Penalties accrue. This summer’s front runner appears to be Planned Parenthood, though it will be some time before they overtake the all time record holder. Two summers ago the ACLU accosted me more than once per day on average, earning them an effective lifetime ban.

The stupid part is I’m generally in agreement with these organizations, disagreeing more in degree than kind. The problem seems to be that unlike the local neighborhood homeless beggars, the political beggars are shipped in from elsewhere. I imagine the college job fair pitch goes something like “travel the country and harass strangers with like minded hotties”. The result is that it’s a new beggar every day with no recollection of the previous dozen encounters. Even the duck tour people learn to recognize me as a resident and leave me alone. (Presumably the political beggars set up shop all summer long to get in on the tourist trade, but since the duck tour peddlers have claimed all the good corners, they get pushed out to areas that are in fact mostly locals.)

Posted 20 Jun 2014 19:34 by tedu Updated: 20 Jun 2014 19:34
Tagged: business philly politics rants

notes on timingsafe_memcmp

A short while ago, I converted some memcmp calls in libssl to CRYPTO_memcmp. As noted at the time, it’s easier to assume something is secret and sensitive to timing attacks than to prove it’s not. However, one must be a little cautious because CRYPTO_memcmp, unlike its libc namesake memcmp, is actually an equality function (zero or not-zero) and not a comparison function (negative, zero, positive for less than, equal, greater than). (Don’t confuse it with OPENSSL_memcmp, which does have memcmp semantics, but is vulnerable to timing attacks because it’s not constant time.)
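
The difference between the two contracts, as an added example (not OpenSSL or LibreSSL code; `ct_equal` and `ct_compare` are hypothetical names). An equality-only function gives the same sign whichever argument is larger, so it cannot replace memcmp where ordering matters, while a three-way compare can still visit every byte with no early exit.

```c
#include <limits.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOPBIT (sizeof(unsigned) * CHAR_BIT - 1)

/* Equality only (the CRYPTO_memcmp contract described above):
 * 0 when equal, some non-zero value otherwise. No early exit. */
int ct_equal(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	unsigned char diff = 0;

	for (size_t i = 0; i < len; i++)
		diff |= pa[i] ^ pb[i];
	return diff;
}

/* Three-way compare with memcmp's sign convention (-1, 0, 1).
 * Every byte is visited; the first differing byte decides. */
int ct_compare(const void *a, const void *b, size_t len)
{
	const unsigned char *pa = a, *pb = b;
	unsigned done = 0;	/* becomes 1 after the first difference */
	int res = 0;

	for (size_t i = 0; i < len; i++) {
		unsigned lt = ((unsigned)pa[i] - pb[i]) >> TOPBIT; /* 1 if a < b */
		unsigned gt = ((unsigned)pb[i] - pa[i]) >> TOPBIT; /* 1 if a > b */
		int mask = (int)done - 1;	/* all ones until decided, then 0 */

		res |= ((int)gt - (int)lt) & mask;
		done |= lt | gt;
	}
	return res;
}

int main(void)
{
	/* Constructed sample inputs. */
	const char *x = "apple", *y = "berry";

	/* ct_equal is positive in both directions: useless as a comparator. */
	printf("ct_equal:   %d %d\n", ct_equal(x, y, 5), ct_equal(y, x, 5));
	printf("ct_compare: %d %d\n", ct_compare(x, y, 5), ct_compare(y, x, 5));
	printf("memcmp<0:   %d\n", memcmp(x, y, 5) < 0);
	return 0;
}
```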

Posted 17 Jun 2014 03:06 by tedu Updated: 26 Dec 2014 04:41
Tagged: c programming security

different fixes for same bug

A few days ago, jsing fixed a bug in libssl. It’s not the end of the world, but it’s a bug. Here’s the diff.

 int
 ssl3_final_finish_mac(SSL *s, const char *sender, int len, unsigned char *p)
 {
-	int ret;
-	ret = ssl3_handshake_mac(s, NID_md5, sender, len, p);
-	p += ret;
-	ret += ssl3_handshake_mac(s, NID_sha1, sender, len, p);
-	return (ret);
+	int ret_md5, ret_sha1;
+
+	ret_md5 = ssl3_handshake_mac(s, NID_md5, sender, len, p);
+	if (ret_md5 == 0)
+		return 0;
+	p += ret_md5;
+	ret_sha1 = ssl3_handshake_mac(s, NID_sha1, sender, len, p);
+	if (ret_sha1 == 0)
+		return 0;
+	return (ret_md5 + ret_sha1);
 }
 
 static int
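
Review bot: the new checks in ssl3_final_finish_mac test only `ret_md5 == 0` and `ret_sha1 == 0`, so if ssl3_handshake_mac can ever return a negative value it passes the test and reaches `p += ret_md5`, moving the output pointer backwards. Either confirm that 0 is its only failure value or test `<= 0`. The function now returns 0 on failure, which deserves a one-line comment above it because callers have to check for it. Minor style point: `return 0;` and `return (ret_md5 + ret_sha1);` mix two return styles in one function.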

Two variables are introduced, one for each function called, and the local variable for this function’s return value is removed.

Now look at the OpenSSL fix for the same bug.

 int ssl3_final_finish_mac(SSL *s, 
 	     const char *sender, int len, unsigned char *p)
 	{
-	int ret;
+	int ret, sha1len;
 	ret=ssl3_handshake_mac(s,NID_md5,sender,len,p);
+	if(ret == 0)
+		return 0;
+
 	p+=ret;
-	ret+=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
+
+	sha1len=ssl3_handshake_mac(s,NID_sha1,sender,len,p);
+	if(sha1len == 0)
+		return 0;
+
+	ret+=sha1len;
 	return(ret);
 	}
 static int ssl3_handshake_mac(SSL *s, int md_nid,
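
Review bot: `ret` still carries two meanings in ssl3_final_finish_mac, the MD5 call's result and this function's own return value, while only the SHA-1 result gets a name of its own (`sha1len`). Naming the first result as well (for example `md5len`) and ending with `return(md5len + sha1len);` would tie each early `return 0` to the call it checks and leave no accumulator holding a half-finished value between the two calls. As with any `== 0` test, it is also worth confirming that ssl3_handshake_mac has no negative failure value before `p+=ret` runs.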

A new variable is introduced for one function, but the existing variable for this function’s return value continues to be used to store a called function’s return.

Why is this bad? As alluded to earlier, improper return checking bugs are rampant in TLS libraries. Apple’s #gotofail bug and the following week’s GnuTLS bypass were both caused by setting a return code too soon, and then bubbling it up. Here we have the identical bug (diminished in severity), and the opportunity to correct a poor practice by eliminating semantic overloading of variables. Why not take it?
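
What the removed lines let through, as an added model that is not libssl code: `fake_mac` is a hypothetical stand-in for ssl3_handshake_mac that can be told to fail, and 0 is assumed to be its failure value because that is what both fixes test for. When exactly one MAC fails, the old shape returns the other MAC's length, which a caller checking for 0 reads as success.

```c
#include <stdio.h>
#include <string.h>

enum { MD5_LEN = 16, SHA1_LEN = 20 };

/* Hypothetical stand-in for ssl3_handshake_mac(): returns the digest
 * length written to p, or 0 on failure (the value both fixes test for). */
static int fake_mac(int len, int fail, unsigned char *p)
{
	if (fail)
		return 0;
	memset(p, 0xAA, (size_t)len);
	return len;
}

/* Shape of the removed lines: ret is the callee's result and ours at once. */
static int finish_before(unsigned char *p, int fail_md5, int fail_sha1)
{
	int ret = fake_mac(MD5_LEN, fail_md5, p);
	p += ret;
	ret += fake_mac(SHA1_LEN, fail_sha1, p);
	return ret;
}

/* Shape of the LibreSSL fix: one variable per call, each one checked. */
static int finish_after(unsigned char *p, int fail_md5, int fail_sha1)
{
	int ret_md5, ret_sha1;
	ret_md5 = fake_mac(MD5_LEN, fail_md5, p);
	if (ret_md5 == 0)
		return 0;
	ret_sha1 = fake_mac(SHA1_LEN, fail_sha1, p + ret_md5);
	if (ret_sha1 == 0)
		return 0;
	return ret_md5 + ret_sha1;
}

/* Run one variant (fixed != 0 selects finish_after) with failures injected. */
int run(int fixed, int fail_md5, int fail_sha1)
{
	unsigned char buf[MD5_LEN + SHA1_LEN] = {0};
	return (fixed ? finish_after : finish_before)(buf, fail_md5, fail_sha1);
}

int main(void)
{
	printf("md5 fails:  before=%d after=%d\n", run(0, 1, 0), run(1, 1, 0));
	printf("sha1 fails: before=%d after=%d\n", run(0, 0, 1), run(1, 0, 1));
	return 0;
}
```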

Posted 15 Jun 2014 02:49 by tedu Updated: 16 Jun 2014 15:17
Tagged: c programming security

userland traffic shaping

A short program to demonstrate network filtering with Lua. Although the kernel provides pf filtering and some bandwidth shaping facilities, they don’t cover every scenario. For example, consider the case where our server is connected to a network port where we pay for some amount of bandwidth, but have burstable speeds much faster than that. This is commonly seen as 95th percentile billing. As long as we’re under our five minute quota, we want to pass traffic at full speed, but as we approach that mark, we want to start clamping down. The pf.conf burst queueing rules can’t quite handle this situation.

For more flexibility, we can pass all our network traffic through userland using tun and have an arbitrary program analyze and shape it. This setup requires a whole mess of virtual interfaces to be configured with ifconfig, but it’s really not so bad. We want to pass ethernet frames, so we use the link0 flag.

ifconfig tun0 create link0
ifconfig bridge0 create add em0 add tun0
ifconfig tun1 create link0
ifconfig vether0 create
ifconfig bridge1 create add vether0 add tun1

Now we have a vether interface connected, via bridges and tuns, to the network. We configure this interface with our IP (run dhclient if you like), and it effectively replaces em0 as the primary interface. This is an endpoint configuration; vether can be replaced by a physical interface for a router. All that’s missing is a program to pass traffic between the two tun interfaces.

Here’s a short Lua (luajit) program. It reads from the two tun interfaces and passes packets between them as they arrive. As the amount of traffic passed approaches our five minute quota, it starts probabilistically dropping packets. As written it lets you use 75% of your quota at full speed before rather sharply curtailing it. (As a bonus, it will occasionally print a frequency count of each byte to demonstrate other uses.)

netfilt.lua
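
The drop decision described above, sketched in C as an added example. It is not netfilt.lua; the one-second buckets, the linear ramp between 75% and 100% of the quota, and all names are assumptions.

```c
#include <stdio.h>

#define WINDOW 300	/* five-minute accounting window, in seconds */

struct shaper {
	unsigned long long quota;		/* bytes allowed per window */
	unsigned long long bucket[WINDOW];	/* bytes passed in each second */
	long last;				/* last second seen */
};

/* Drop probability in thousandths at time now (monotonic, non-negative
 * seconds): 0 while the window holds at most 75% of quota, then a linear
 * ramp (an assumed curve) reaching 1000 at the full quota. */
int drop_permille(struct shaper *s, long now)
{
	unsigned long long used = 0, knee = s->quota / 4 * 3;

	/* Expire the seconds that scrolled out since the previous call. */
	for (long t = s->last + 1; t <= now && t <= s->last + WINDOW; t++)
		s->bucket[t % WINDOW] = 0;
	s->last = now;
	for (int i = 0; i < WINDOW; i++)
		used += s->bucket[i];
	if (used <= knee)
		return 0;
	if (used >= s->quota)
		return 1000;
	return (int)((used - knee) * 1000 / (s->quota - knee));
}

/* Decide one frame; roll is a uniform draw in [0, 1000) from the caller. */
int shaper_pass(struct shaper *s, long now, unsigned long len, int roll)
{
	if (roll < drop_permille(s, now))
		return 0;			/* dropped, so not counted */
	s->bucket[now % WINDOW] += len;
	return 1;
}

int main(void)
{
	static struct shaper s = { .quota = 1000 };	/* constructed numbers */

	s.bucket[0] = 875;	/* halfway between the knee and the quota */
	printf("drop at 87.5%% of quota: %d/1000\n", drop_permille(&s, 0));
	printf("after the window rolls: %d/1000\n", drop_permille(&s, 300));
	return 0;
}
```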

See also trickle.

Posted 15 Jun 2014 02:49 by tedu Updated: 15 Jun 2014 02:49
Tagged: lua network openbsd programming

generalized secure hash algorithm

The key to a good password hashing function (whether it’s for storing the hash in an authentication system or to generate a key for encryption) is that it be slow. Well, not actually slow, but difficult. Well, not actually difficult, but expensive. The progression of hashing algorithms reflects this, from crypt to bcrypt to scrypt. The most frequently (only?) cited section of the scrypt paper is the table at the end comparing the cost to build cracking machines for various algorithms. The focus is on designing an algorithm that is computationally expensive, such that it becomes financially expensive to build a cracker. Nevertheless, as expensive as it would be, it is possible to build an scrypt cracker. What if we could use an algorithm that made it impossible, not just expensive, to build a cracking machine?

Posted 15 Jun 2014 02:49 by tedu Updated: 05 Aug 2014 16:49
Tagged: c programming security thoughts

catastrophic weather movie alert

Went to a movie this afternoon because it was raining. Because it was raining, the government issued a puddles of unusual depth alert, causing everybody’s phone to blow up mid movie, within the space of a few minutes. The weather catastrophe alert tone could have been a credible sound effect, coupled with some great positional surround sound, but all the lit up screens gave the trick away. Then it kept happening as the less important people were notified and started interrupting the movie. There’s always a few idiots who can’t turn their phone off, but the number of alerts received made it seem likely the alerts can override vibrate or even silent settings.

The good news is the alerts can be turned off (somewhere in phone settings) to avoid disturbance at the movies or elsewhere. I did so last summer after noticing alerts happen whenever it rains.

The movie was Edge of Tomorrow. I liked it. Groundhog Day meets Starship Troopers.

Amber Alert update: Amber Alert worked well. Apparently, their definition of success was waking people up at 4am, since there’s no mention of how the alert influenced the outcome of the children, which is how I would determine if it worked well or not.

Posted 10 Jun 2014 23:08 by tedu Updated: 08 Aug 2014 19:21
Tagged: gadget philly politics rant

home is where you want to be

Much has been written about the awfulness of Apple Maps, but sometimes it’s just awesome. I’m in California; I search for a Philz (because that’s what you do in the Bay Area), and I get... Philadelphia. iPhone knows me better than I thought.

philz

Posted 07 Jun 2014 00:39 by tedu Updated: 07 Jun 2014 00:39
Tagged: bugs philly

whisk.me

Having lunch today in Startup Valley, breathing in the entrepreneurship and prepping my elevator pitches. Here’s my latest startup idea: Whiskme.

The number of small batch distilleries has increased tenfold in the past ten years, making it harder than ever for connoisseurs to sample the market’s many offerings. Whiskme is a peer to peer app that leverages the sharing economy to deliver rare and exotic whisky (and occasional whiskey) right to your door. Users of our location aware social network app list the contents of their whisky collection that they are willing to trade, and identify samples they would like to try. Then our advanced cloud based platform processes these requests using sophisticated machine learning algorithms to create potential swap pairs. When a match is found, both parties are notified via our app and a Lyft car is automatically dispatched to handle the physical transport. You never need to leave your home!

Posted 06 Jun 2014 20:55 by tedu Updated: 06 Jun 2014 20:55
Tagged: business rants

incomprehensible + illegible = illiterate

Any Wikipedia article that has been mathematized is practically guaranteed to be incomprehensible. And it’s definitely guaranteed to be illegible. The article for locality sensitive hashing doesn’t disappoint.

wiki math

Why is math illiteracy rampant? Because nobody should be forced to read text like this unless they’re guilty of some heinous crime.

Posted 30 May 2014 20:40 by tedu Updated: 30 May 2014 20:40
Tagged: math rants web